Abstract

We set out a logic for reasoning about multilevel security
of probabilistic systems. This logic includes modalities
for time, knowledge, and probability. In earlier work
we gave syntactic definitions of multilevel security and
showed that their semantic interpretations are equivalent
to independently motivated information-theoretic
definitions. This paper builds on that earlier work
in two ways. First, it substantially recasts the language
and model of computation into the more standard
Halpern-Tuttle framework for reasoning about knowledge
and probability. Second, it brings together two
distinct characterizations of security from that work.
One was equivalent to the information-theoretic security
criterion for a system to be free of covert channels
but was difficult to prove. The other was a verification
condition that implied the first; it was more easily
provable but was too strong. This paper presents
a characterization that is syntactically very similar to
our previous verification condition but is proven to be
semantically equivalent to the security criterion. The
new characterization also means that our security criterion
is expressible in a simpler logic and model.

1 Introduction

Multilevel security is the aspect of computer security
concerned with protecting information that is classified
with respect to a multilevel hierarchy (e.g., UNCLASSIFIED,
SECRET, TOP SECRET). A probabilistic
system is a hardware or software system that makes
probabilistic choices (e.g., by consulting a random number
generator) during its execution. Such probabilistic
choices are useful in a multilevel security context for
introducing noise to reduce the rate of (or eliminate) illicit
communication between processes at different classification
levels. In this paper, we are concerned with
definitions of perfect (information-theoretic) multilevel
security in the sense that the definitions rule out all illicit
communication without relying on any complexity-theoretic
assumptions. That is, our model allows the
system penetrators to have unlimited computational
power and yet, our definitions are sufficient to ensure
that there can be no illicit communication.

The motivation for reasoning about the probabilistic behavior
of systems has appeared in examples and discussions
of many authors (cf. [Bro91, Gra92, MR88,
McC88, McL90, WJ90]). Essentially, the motivation
is that it is possible for a probabilistic system to satisfy
many existing definitions of security (e.g., Sutherland’s
Nondeducibility [Sut86], McCullough’s Restrictiveness
[McC90], etc.) and still contain probabilistic
covert channels.

A primary contribution of our earlier work [GS92] was
the unification of the logical approach to multilevel security
developed by Glasgow, MacEwen, and Panangaden
[GMP90] and Bieber and Cuppens [BC92] with the work
on security of probabilistic systems done by McLean
[McL90], Browne [Bro89], and Gray [Gra92]. In particular,
we proved that the semantic interpretation of a logical
formula due to Glasgow et al. is equivalent to Gray’s
Probabilistic Noninterference (which is itself equivalent
to Browne’s Stochastic Non-Interference). We also gave
a verification condition (in our logic) and proved that
it is equivalent to Gray’s Applied Flow Model (which is
closely related to McLean’s Flow Model).

This paper builds on that earlier work in two fundamental
ways. First, we present a new logic and corresponding
semantics that is designed to substantially recast
our previous work into the more standard Halpern-Tuttle
framework for reasoning about probability and
knowledge in computing systems [HT93]. Second, we
give a logical characterization of security that does the
job of a security definition while remaining very similar
in form to the verification condition. It also gives a security
definition in terms of simpler and more standard
modalities than the definitions in [GS92].

The remainder of the paper is organized as follows. In
§2 we set out our model of computation. In §§3 and 4,
we set out the syntax and semantics of our logic. In §5
we state our definition of security and prove that it is
equivalent to Probabilistic Noninterference. Finally, in
§6, we give some conclusions of this work.

2 System Model

In this section, we describe our system model. This is
the model by which we will (in §4) give semantics to
our logic. First, we describe the general system model,
which is taken from Halpern and Tuttle [HT93]. Then,
we tailor the model to our needs by (in Halpern and Tuttle’s
terminology) choosing the “adversaries”. Finally,
we impose some additional structure on the model, resulting
in our application-specific model.

2.1 General System Model

In this subsection we review the general system model
of Halpern and Tuttle. A complete description of their
model can be found in [HT93].

We have a set of agents, $P_1, P_2, \ldots, P_n$, each with its
own local state. The global state is an $n$-tuple of the
local agents’ states. A run of the system is a mapping
of times to global states. We assume that time is discrete
because we are dealing with security at the digital
level of the system. We are not, for example, addressing
security issues such as analog channels in hardware.
Therefore, as in [HT93], we will assume that times are
natural numbers.

The probabilities of moving among global states are represented
in the model by means of labeled computation
trees. The nodes of the trees represent global states.
For any given node in a tree, the children of that node
represent the set of global states that could possibly
come next. Each arc from a node to one of its children
is labeled with the probability of moving to that state.
Thus, from any given node, the sum of the probabilities
on its outgoing arcs must be one. As in [HT93], we also
assume that the set of outgoing arcs is finite and that all
arcs are labeled with nonzero probabilities. This final
assumption can be viewed as a convention that if the
probability of moving from state $x$ to state $y$ is zero,
then state $y$ is not included as a child of state $x$.

Certain events in a system may be regarded as nonprobabilistic
(while still being nondeterministic). The typical
example occurs when a user is to choose an input and
in the analysis of the system, we do not wish to assign
a probability distribution to that choice; in such cases,
we regard the choice as nonprobabilistic. All nonprobabilistic
choices in the system are lumped into a single
choice that is treated as being made by an “adversary”
prior to the start of execution. Thus, after this choice is
made, the system’s execution is purely probabilistic. In
Halpern and Tuttle’s words, the nonprobabilistic choices
have been “factored out”.

In the model of computation, each possible choice by the
adversary corresponds to a labeled computation tree. In
other words, a system is represented as a set of computation
trees, each one corresponding to a different choice
by the adversary. There is no indication how the adversary’s
choice is made, just that it is made once and for
all, prior to the start of execution.

2.2 Application-Specific System Model

In this section, we impose some additional structure
on the general model described in the previous section.
We fix the set of agents, fix our model and intuitions
regarding communication, place some (environmental)
constraints on the agents, and fix the set of choices available
to the adversary.

AGENTS For our purposes we can limit the model to
three agents: (1) the system under consideration, denoted
$E$, (2) the covert senders (or alternatively, the
high environment), denoted $\mathcal{H}$, and (3) the covert
receivers (or alternatively, the low environment), denoted
$\mathcal{L}$. In the remainder of the paper, we will tacitly assume
that the global system is comprised of these three
agents.

MODEL OF COMMUNICATION Our model of
communication is similar to those of [BC92], [Gra92],
and [Mil90]. We view $E$’s interface as a collection of
channels on which inputs and outputs occur. Since we
consider the agent $\mathcal{H}$ (resp., $\mathcal{L}$) to consist of all processing
that is done in the high (resp., low) environment,
including any communication mechanism that delivers
messages to $E$, we will not need to model messages
in transit or, in Halpern and Tuttle’s terminology, the
state of the environment; rather, these components of
the global state will be included as part of $\mathcal{H}$’s and $\mathcal{L}$’s
state.

In many systems of interest, the timing of events is
of concern. (See [Lam73] for an early description of
covert communication channels that depend on timing;
see [Wra92] for more recent work.) In such cases, we
model the passage of time by taking the set of times
(i.e., the domain of the runs) to be the ticks of some
clock that is independent of the covert senders’ and receivers’
processing. For example, we may think of this
clock as being $E$’s system clock. In this way we can
properly account for covert channels that depend on
time. Note that we are considering a worst-case scenario.
This means that we consider the fastest way that
adversaries might synchronize as a clock. If they cannot
find a common clock, they cannot communicate by
means that depend on timing.

Since the mechanisms of high-level¹ I/O routines may
introduce covert channels (see, e.g., [McC88, §2.3]), we
take a very low-level view of I/O. In particular, we assume
one input and one output per channel per unit
time. That is, for each time we have a vector of inputs
(one for each channel) and a vector of outputs (one for
each channel). If a given agent produces no new data
value at a given time, it may in fact serve as a signal
in a covert channel exploitation. Hence, we treat
such “no new signal” events as inputs. Similarly, we do
not consider the possibility that the system can prevent
an input from occurring. Rather, the system merely
chooses whether to make use of the input or ignore it.
Any acknowledgement that an input has been received
is considered to be an output.

Given these considerations, we fix our model of communication
as follows. We assume the following basic sets
of symbols, all nonempty:

$C$: a finite set of input/output channel names,
$c_1, \ldots, c_k$,

$I$: representing the set of input values,

$O$: representing the set of output values, and

$\mathbb{N}^+$: representing the set of positive natural numbers.
This set will be used as our set of “times”.

Since there is one input per channel at each time, we
will be talking about the vector of inputs that occurs
at a given time. We will denote the set of all vectors of
inputs by $I[C]$. Typical input vectors will be denoted

$a, a', a_1, \ldots \in I[C]$.

Similarly, we will denote the set of all output vectors
by $O[C]$ and typical output vectors will be denoted

$b, b', b_1, \ldots \in O[C]$.

To talk about the history of input vectors up to a given
time, we introduce notation for traces. We will denote
the set of input traces of length $k$ by $I_{C,k}$. Mathematically,
$I_{C,k}$ is a shorthand for the set of functions from
$C \times \{1, 2, \ldots, k\}$ to $I$. Therefore, for a trace $\alpha \in I_{C,k}$,
we will denote the single input on channel $c \in C$ at time
$k' \le k$ by $\alpha(c, k')$.

We will also need to talk about infinite traces of inputs.
For this we use the analogous notation $I_{C,\infty}$, which is
shorthand for the set of functions from $C \times \mathbb{N}^+$ to $I$.

Similarly, we will denote the set of output traces of
length $k$ by $O_{C,k}$ and the set of infinite output traces
by $O_{C,\infty}$. Naturally, for an output trace $\beta$, $\beta(c, k)$ represents
the output on channel $c$ at time $k$.

¹ In this context, “high-level” means highly abstract rather
than highly classified.


There will be situations when we want to talk about
vectors or traces of inputs or outputs on some subset
of the channels, $S \subseteq C$. In such cases we will use the
natural generalizations of the above notations, viz, $I[S]$,
$I_{S,k}$, $O_{S,\infty}$, etc.

ENVIRONMENTAL CONSTRAINTS Any given
agent will be able to see the inputs and outputs on a
subset of the channels. We make this precise by “restricting”
vectors and traces to subsets of $C$. Given an
input vector $a \in I[C]$ and a set of channels $S \subseteq C$, we
define $a \upharpoonright S \in I[S]$ to be the input vector on channels
in $S$ such that $a \upharpoonright S(c) = a(c)$ for all $c \in S$.

Similarly, given an input trace $\alpha \in I_{C,k}$ and a set of
channels $S \subseteq C$, we define $\alpha \upharpoonright S \in I_{S,k}$ to be the input
trace for channels in $S$ such that $\alpha \upharpoonright S(c, k') = \alpha(c, k')$
for all $c \in S$ and all $k' \le k$.

We assume that the set of low channels, denoted $L$, is a
subset of $C$. Intuitively, $L$ is the set of channels that the
low environment, $\mathcal{L}$, is able to directly see. In particular,
$\mathcal{L}$ is able to see both the inputs and the outputs that
occur on channels in $L$.

In practice, there will be some type of physical or procedural
constraint on the agent $\mathcal{L}$ to prevent it from
directly viewing the inputs and outputs on channels in
$C - L$. On the other hand, we place no constraints on
the set of channels that $\mathcal{H}$ is able to see. In particular,
we make the worst-case assumption that $\mathcal{H}$ is able
to see all inputs and outputs on all channels. These
considerations are consistent with what we’ve called
the “Secure Environment Assumption” in previous work
[Gra92, GS92]. In the present paper, this assumption is
made precise in terms of our definition of the adversary
to be given next.

THE ADVERSARY As discussed above, in Halpern
and Tuttle’s framework, all nonprobabilistic choices are
factored out of the execution of the system by fixing
an adversary at the start of execution. To make use
of this framework, we must define the set of possible
adversaries from which this choice is made.

The “adversary” in our application is the pair of agents,
$\mathcal{H}$ and $\mathcal{L}$, that are attempting to send data from the
high environment across the system $E$ to the low environment.
To be fully general, we model these agents as
mixed strategies (in the game-theoretic sense). That is,
at each point in the execution of the system the strategy
gives the probability distribution over the set of
next possible inputs, conditioned on the history up to
the current point. In the next section, we present an
example to motivate the need for such generality. Before
doing that, we make the adversary precise with the
following two definitions.

Definition 2.1 An adversary is a conditional probability
function, $A(a \mid \alpha, \beta, k)$. Here $a \in I[C]$ and $k$ is
some time such that there is a time $k'$ with $k \le k' \le \infty$,
and $\alpha \in I_{C,k'}$ and $\beta \in O_{C,k'}$. (The $k$ indicates that the
probability of $a$ is conditional only on the restriction of
$\alpha$ and $\beta$ to $k$.) □

Intuitively, the adversary describes the environment’s
conditional distribution on the next input vector, given
the previous history of inputs and outputs. For example,
at $k = 0$, $A(a \mid \alpha, \beta, k)$ gives the probability of the
environment producing $a$ at the first time unit, given
the empty history.

Later in this section, we describe how a given adversary
$A$ and the description of a particular system, $E$, are
used to construct the corresponding computation tree
$T_A$.

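Definition 2.2 We say that an adversary $A$ satisfies
the Secure Environment Assumption with respect to a
set of channels $L \subseteq C$ iff there exists a pair of conditional
probability functions $\mathcal{H}$ and $\mathcal{L}$ such that for all
$a \in I[C]$, $k \in \mathbb{N}^+$, all $\alpha \in I_{C,k}$, and all $\beta \in O_{C,k}$,

$A(a \mid \alpha, \beta, k) = \mathcal{H}(a \upharpoonright (C - L) \mid \alpha, \beta, k) \cdot \mathcal{L}(a \upharpoonright L \mid \alpha \upharpoonright L, \beta \upharpoonright L, k)$

(where $\cdot$ denotes real multiplication). □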

The Secure Environment Assumption can be intuitively
understood as saying that the input on channels in $C - L$
at time $k$ is (conditionally) statistically independent of
the input on channels in $L$ at time $k$, and the input on
channels in $L$ at time $k$ depends only on previous inputs
and outputs on channels in $L$. For the remainder of this
paper, we will assume that all adversaries satisfy the
Secure Environment Assumption.
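
One way to test Definition 2.2 on a concrete adversary, as an added example (not from the paper): any factors that exist must be the marginals of $A$, so the check compares $A$ with the product of its marginals and confirms that the low factor is identical for histories that agree on $L$. The two-channel setup $C = \{h, l\}$, $L = \{l\}$, the binary values, the bounded history length and all function names are assumptions.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)
VECTORS = list(product(BITS, BITS))  # one vector = (value on h, value on l)
HALF = Fraction(1, 2)


def histories(max_len):
    """All (input trace, output trace) pairs of equal length up to max_len."""
    for k in range(max_len + 1):
        for alpha in product(VECTORS, repeat=k):
            for beta in product(VECTORS, repeat=k):
                yield alpha, beta


def satisfies_sea(A, max_len):
    """Check the Secure Environment Assumption for A(a, alpha, beta) w.r.t. L = {l}."""
    low_factor_seen = {}
    for alpha, beta in histories(max_len):
        # Candidate factors: the marginals of A on C - L = {h} and on L = {l}.
        high = {ah: sum(A((ah, al), alpha, beta) for al in BITS) for ah in BITS}
        low = {al: sum(A((ah, al), alpha, beta) for ah in BITS) for al in BITS}
        # Condition 1: high and low inputs are conditionally independent.
        if any(A((ah, al), alpha, beta) != high[ah] * low[al] for ah, al in VECTORS):
            return False
        # Condition 2: the low factor depends only on the history restricted to L.
        key = (tuple(v[1] for v in alpha), tuple(v[1] for v in beta))
        if low_factor_seen.setdefault(key, low) != low:
            return False
    return True


# Constructed sample adversaries.
def reacting_high(a, alpha, beta):
    """High input echoes the last high output; low input is uniform."""
    want = beta[-1][0] if beta else 0
    return HALF if a[0] == want else Fraction(0)


def low_copies_high(a, alpha, beta):
    """Low input repeats the previous high input, a channel outside L."""
    want = alpha[-1][0] if alpha else 0
    return HALF if a[1] == want else Fraction(0)


def correlated(a, alpha, beta):
    """High and low inputs are always equal, so they are not independent."""
    return HALF if a[0] == a[1] else Fraction(0)


if __name__ == "__main__":
    for adversary in (reacting_high, low_copies_high, correlated):
        print(adversary.__name__, satisfies_sea(adversary, 2))
```
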

Since there is one tree for each possible adversary, we
can think of the set of trees as being indexed by the
adversaries. Therefore, we will often write $T_A$, $T_{A'}$, $T_{A_1}$,
etc.

It is clear that for an adversary $A$ that satisfies the Secure
Environment Assumption (wrt $L$), the conditional
probability functions $\mathcal{H}$ and $\mathcal{L}$ that must exist are in
fact unique. Further, given $\mathcal{H}$ and $\mathcal{L}$, there is a unique
adversary, $A$, for which $\mathcal{H}$ and $\mathcal{L}$ are the probability
functions that satisfy the corresponding constraint. We
may therefore sometimes write $T_{\mathcal{H},\mathcal{L}}$, $T_{\mathcal{H}',\mathcal{L}}$, etc. when
we want to refer to the parts of the adversary individually.

Note that our definition of an adversary is not meant
to be as general as the adversary discussed by Halpern
and Tuttle. (In fact, Halpern and Tuttle give no structure
at all to their adversary.) Rather, our adversary
is application-specific; in particular, it is for reasoning
about multilevel security of probabilistic systems and is
not designed to be used outside that domain.

On the other hand, this particular adversary represents
a novel application of Halpern and Tuttle’s framework.
In their examples, the adversary represents one or both
of two possible things:

• the initial input to the system; and

• the schedule according to which certain events (e.g.,
processors taking steps) occur.

In contrast, our adversary does not represent a given
input to the system. Rather, it represents a mixed
strategy for choosing the inputs to the system. In some
sense, we can think of this as a generalization on the first
item above; however, our application still fits within the
framework set out by Halpern and Tuttle.

THE STATE OF THE SYSTEM At any given
point, $P$, in any given computation tree, $T_A$, there
should be a well-defined state of the system. For our
purposes, the state includes the following information.

1. All inputs and outputs that have occurred on all
channels up to the current time.

2. Following [HT93], we make the assumption that all
points in all trees are unique by assuming that the
state encodes the adversary. That is, all nodes in
tree $T_A$ encode $A$. Note that we do not assume that
any given agent knows the adversary; just that it is
somehow encoded in the state. We can think of the
high part of the adversary, $\mathcal{H}$, as being encoded in
the high environment and the low part, $\mathcal{L}$, as being
encoded in the low environment.

3. Typically, there are additional components of the
global state representing the internal state of $E$.
For example, in describing $E$, it is often convenient
to use internal state variables. The state of
these variables can be thought of as a vector of values,
one value for each state variable. The internal
state, when it exists, will be denoted $c$, and the
history of internal states will be denoted $\gamma$.

COMPUTATION TREES Now that we have set out
the possible states of the system (i.e., the points of computations),
we can talk about the construction of the
computation trees.

For each reachable point, $P$, we assume that $E$’s probability
distribution on outputs is given. For example, this
can be given by a conditional probability distribution,
$O(b, c \mid \alpha, \beta, \gamma, k)$, where $c$ is the vector representing
values of all internal state variables (i.e., the internal
system state) at time $k + 1$, $b \in O[C]$ is the vector of
outputs produced by the system at $k + 1$, and $\alpha, \beta, \gamma$ give
the history through $k$ of inputs, outputs, and internal
state values, respectively.

Given $O(b, c \mid \alpha, \beta, \gamma, k)$ and the adversary, $A$, we can
construct the corresponding computation tree by starting
with the initial state of the system (i.e., the point at
the root of the tree with empty histories of inputs, outputs,
etc.) and iteratively extending points as follows.

Let $P$ be a point in the tree with internal system history
$\gamma$, input history $\alpha$, and output history $\beta$. We will make
$P'$ a child of $P$ iff

1. $P'$ is formed from $P$ by modifying the internal system
state to $c$ and extending $P$’s input history (output
history, resp.) with $a$ ($b$, resp.); and

2. both $O(b, c \mid \alpha, \beta, \gamma, k)$ and $A(a \mid \alpha, \beta, k)$ are positive.

In such cases, we label the arc from $P$ to $P'$ with
$O(b, c \mid \alpha, \beta, \gamma, k) \cdot A(a \mid \alpha, \beta, k)$, i.e., the system, $E$,
and the environment, $A$, make their choices independently.

RUNS OF THE SYSTEM A run of the system is
an infinite sequence of states along a path in one of the
computation trees. When we want to talk about the
particular run, $\rho$, and time, $k$, at which a point $P$ occurs,
we will denote the point by the pair $(\rho, k)$. Further, if
we wish to talk about the various components of the
run, i.e., the trace of the inputs, $\alpha$, outputs, $\beta$, or other
variables, $\gamma$, we will denote the run by $(\alpha, \beta, \gamma)$ and
denote the point, $P$, by $(\alpha, \beta, \gamma, k)$.

For a given tree, $T$, we denote the set of runs (i.e., infinite
sequences of states), formed by tracing paths from
the root, by $runs(T)$.

For security applications we are concerned with information
flow into and out of the system rather than with
information in the system per se. Thus, though our
system model is adequate to represent internal states
and traces thereof, in subsequent sections it will be
adequate to represent systems entirely in terms of input
and output. For example, system behavior at time
$k$ can be represented by ‘$O(b \mid \alpha, \beta, k)$’ rather than
‘$O(b, c \mid \alpha, \beta, \gamma, k)$’.

3 Syntax

In this section we set out our formal language and use
it to describe two simple systems. Then we give the
axioms and rules of our logic.

3.1 Formation Rules

To describe the operation of the system under consideration
(viz, $E$), we use a variant of Lamport’s Raw Temporal
Logic of Actions (RTLA) [Lam91].² The primary
difference is that we add a modal operator $Pr_i(\varphi)$ that
allows us to specify and reason about the probabilistic
behavior of the system.

² Roughly speaking, Raw Temporal Logic of Actions (RTLA) is
the same as Lamport’s Temporal Logic of Actions (TLA) without
the treatment of stuttering [Lam91]. Since we are not, in this
paper, concerned with refinement, we omit the considerations of
stuttering and use RTLA.


From the previous section, we assume the following basic
sets of symbols, all nonempty: $C$, $I$, $O$, and also $\mathbb{R}$.
Members of $\mathbb{R}$ will have the usual representation, e.g.,
$43.5 \in \mathbb{R}$.

We will also be talking about the subjects (or agents)
of the system. Formally, a subject, $S \subseteq C$, is identified
with the process’s view of the system, i.e. the set of
channels on which it can see the inputs and outputs.

Formulae in the language are built up according to the
following rules.

• constants from the set of basic symbols are terms.

• state variables (representing the value of that variable
in the current state) are terms. Among the
state variables, there are two reserved for each communication
channel. For each $c \in C$, we have a
state variable $c_{in}$ that takes values from $I$, and another
state variable $c_{out}$ that takes values from $O$.
Note that, implicitly, inputs are from the covert
senders and receivers into the system ($E$) and outputs
are from the system to the covert senders and
receivers. This is because $E$ is the system under
consideration (i.e., with respect to which we are
reasoning about security). We have no mechanism
(and no need) to specify communication between
agents not including the system under consideration.

• primed state variables (e.g., $c'_{in}$) are terms. (These
represent the value of the variable in the next
state.)

• We use standard operators among terms (e.g., $+$
and $\cdot$ for addition and multiplication, respectively),
with parentheses for grouping subterms, to form
composite terms.

• an atomic predicate is an equation or inequality
among terms not containing primed state variables.

• an atomic action is an equation or inequality
among terms (possibly including primed as well as
unprimed state variables). (Note that all predicates
are actions.)

• for any action, $\varphi$, and for any subject $S \subseteq C$,
$Pr_S(\varphi)$ is a real-valued term (representing the subjective
probability that $S$ assigns to the formula $\varphi$).

• For any predicate, $\varphi$, $\varphi$ is a temporal formula.

• For any action or temporal formula $\varphi$, $\Box\varphi$ is a temporal
formula (to be read intuitively as always $\varphi$).

• We build up composite predicates, actions, and
temporal formulae, resp., in the usual recursive
fashion using $\wedge$, $\vee$, $\neg$, and $\rightarrow$.

Now, to specify and reason about our security properties
of interest, we add three finite sets of modal
operators on formulae: $K_1, \ldots, K_n$, $K_1, \ldots, K_n$, and
$R_1, \ldots, R_n$, representing knowledge of a (relatively)
weak subject, knowledge of a powerful subject, and
permitted-knowledge respectively for each subject (represented
by the subscript of the operator). Therefore,
we add the following formation rules to our syntax.

• For any action (temporal formula, resp.) $\varphi$, and
for any subject $S \subseteq C$, $K_S(\varphi)$ (representing that
the weak subject $S$ knows $\varphi$), $K_S(\varphi)$ (representing
that the powerful subject $S$ knows $\varphi$) and $R_S(\varphi)$
(representing that $S$ has permitted knowledge of $\varphi$)
are actions (temporal formulae, resp.).

Later in the paper, we will make the meaning of these
three operators precise. For now, we merely mention
that the weak-subject knowledge operators ($K_S$) will
be given the standard semantics (e.g., as in [HT93]);
the powerful-subject knowledge operators ($K_S$) will be
given semantics that imply greater knowledge on the
part of the subject (viz, knowledge of the probability of
certain future events).

3.2 Examples

We now give two simple examples of how to describe systems
in our language. Ultimately, we will have sufficient
formal machinery to show that one of these systems is
secure and the other is not; however, here we simply set
them out formally. These descriptions are meant to give
the reader an intuitive feel for the meaning of expressions
in the language. Precise meanings will be given
in §4. Also, the second of these examples will motivate
our choice of modeling adversaries as strategies.

Example 3.1 The first example is a simple encryption
box that uses a “one-time pad” [Den82]. It has two
channels, high and low. At each tick of the system clock,
it inputs a 0 or 1 on the high channel and outputs a 0
or 1 on the low channel. The low output is computed
by taking the “exclusive or” (denoted $\oplus$) of the high
input and a randomly generated bit. It is well known
that this results in an output stream that is uniformly
distributed. Therefore, we can describe this system as
follows.

Let $C = \{h, l\}$, $I = \{0, 1\}$, and $O = \{0, 1\}$. Then, the
system is specified by the following formula.

$\Box(Pr_C(l'_{out} = 0) = Pr_C(l'_{out} = 1) = 0.5)$

In this formula, $l_{out}$ is a state variable representing the
output on the low channel, $l$. Therefore, $l'_{out}$ is the
output on $l$ at the next time. Further, $Pr_C(l'_{out} = 0)$
denotes the probability that the output on $l$ is a 0 at
the next time. Hence, the entire formula says that at all
times, the probability of $E$ producing a one (1) on the
next clock tick is equal to the probability of producing
a zero (0), which is equal to 0.5. Note that we have not
specified anything about the probability distribution on
inputs, since that is part of the environment behavior
rather than the system behavior.

□ 

Example 3.2 The second example is an insecure version of the simple encryption box. This system was first described by Shannon in [Sha58].

As in the first example, at each tick, $\Sigma$ computes the “exclusive or” of the high input and a randomly generated bit and sends that value out on the low channel. However, in this system, the randomly generated bit used at any given tick is generated and sent out on the high output channel during the previous tick of the clock.

This can be expressed in our formalism as follows. Let $C = \{h, l\}$, $I = \{0, 1\}$, and $O = \{0, 1\}$. The following formula specifies the system.

$$\Box\big((Pr_C(h'_{out} = 0) = Pr_C(h'_{out} = 1) = 0.5) \wedge (l'_{out} = h_{out} \oplus h'_{in})\big)$$

Note that in the second conjunct, $h_{out}$ is unprimed, indicating that the output on $l$ at the next time is the “exclusive or” of the current output on $h$ with the next input on $h$.

Now note that if the high agent ignores its output, then this system acts exactly as the system from the previous example (and can be used for perfect encryption). In particular, suppose we were to model an adversary as an input string — the input to be provided by the high agent. Then, it is easy to see that for any adversary (i.e., any high input string) fixed prior to the start of execution, the output to low will be uniformly distributed and, in fact, will contain no information about the high input string.

However, the bit that will be used as the one-time pad at time $t$ is available to the high agent at time $t - 1$. Therefore, (due to the algebraic properties of “exclusive or”, viz, $x \oplus x \oplus y = y$) the high agent can use this information to counteract the encryption. In particular, the high agent can employ a (game-theoretic) strategy to send any information it desires across the system to the low agent.

For example, suppose the high agent wishes to send a sequence of bits, $b_1, b_2, \ldots$ We’ll denote the high input (resp., output) at time $k$ by $h_{in}(k)$ (resp., $h_{out}(k)$). The appropriate strategy for the high agent is as follows.

The high agent chooses its input for time $k + 1$ as $h_{in}(k + 1) = h_{out}(k) \oplus b_k$.

Thus, the output to low at time $k + 1$, denoted $l_{out}(k + 1)$, is computed as follows.

$$\begin{aligned} l_{out}(k + 1) &= h_{out}(k) \oplus h_{in}(k + 1) \\ &= h_{out}(k) \oplus h_{out}(k) \oplus b_k \\ &= b_k \end{aligned}$$

The first line follows from the system description, the second from the high strategy, and the third from the properties of $\oplus$. Thus, by employing the correct strategy, the high agent can noiselessly transmit an arbitrary message over $\Sigma$ to the low agent. This, of course, motivates our choice of strategies as the adversary, rather than, e.g., input strings.

□ 

We  now  have  some  sense  of  the  formal  language,  with 
the  exception  of  the  modal  operators  Ks,  Ks,  and  Rs- 
As  previously  mentioned,  these  operators  are  used  to 
formalize  the  security  properties  that  interest  us;  so, 
we  will  discuss  their  use  in  a  later  section.  First,  we 
describe  the  logical  axioms  and  inference  rules  that  are 
used  to  prove  properties  about  systems. 

3.3  The  Logic 

We now give the axioms of our logic. In the following, we will use ‘$\varphi$’ and ‘$\psi$’ to refer to formulae of our language.

Propositional Reasoning All instances of tautologies of propositional logic.

Temporal Reasoning The following are standard axioms for temporal reasoning about discrete systems. The logic they constitute is generally called S4.3Dum or sometimes D. (See [Gol92] for details. Note also that these are the formulae Abadi uses to axiomatize Lamport’s TLA [Aba90].) We have labeled the axioms with their historical names. Let $\varphi$ and $\psi$ be formulae of our language.

K  $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$

4  $\Box\varphi \to \Box\Box\varphi$

D  $\Box\varphi \to \Diamond\varphi$

L  $\Box(\varphi \wedge \Box\varphi \to \psi) \vee \Box(\psi \wedge \Box\psi \to \varphi)$

Z  $\Box(\Box\varphi \to \varphi) \to (\Diamond\Box\varphi \to \Box\varphi)$

‘$\Diamond\varphi$’ can be interpreted roughly as saying that at some point $\varphi$ is true. Formally, it is viewed as notational shorthand: for all formulae $\varphi$, $\Diamond\varphi = \neg\Box\neg\varphi$. K basically guarantees that the temporal operator respects modus ponens. Each of the other axioms captures a feature of time that we desire. 4 gets us transitivity. D guarantees that we don’t run out of time points (seriality). L guarantees that all points in time are connected. And, Z guarantees that time is discrete. (Between any two points in time there are at most finitely many other points.)


Real Number Axioms Standard field and order axioms for the real numbers (to apply to members of $\mathbb{R}$ and function terms with range $\mathbb{R}$.) We will not enumerate these axioms. (See any elementary real analysis book for enumeration, e.g., [Mar74] or [Rud].)

Epistemic Reasoning The (nonredundant) axioms of the Lewis system S5 (cf. [Che80] or [Gol92]) apply to the strong knowledge operators ($K_i$), the weak knowledge operators ($K_i$), and the permitted-knowledge operators ($R_i$). We state them only for the (strong) knowledge operators. As for temporal axioms, we give the axioms their historical names. Let $S$ be a subject, and let $\varphi$ and $\psi$ be formulae of our language.

K  $[K_S(\varphi) \wedge K_S(\varphi \to \psi)] \to K_S(\psi)$ (Knowledge respects modus ponens.)

T  $K_S(\varphi) \to \varphi$ (What one knows is true.)

5  $\neg K_S(\varphi) \to K_S \neg K_S(\varphi)$ (If you don’t know something, then you know that you don’t know it.)

We also have two axioms for relating weak knowledge to permitted knowledge and permitted knowledge to strong knowledge.

kR  $K_S(\varphi) \to R_S(\varphi)$

RK  $R_S(\varphi) \to K_S(\varphi)$

Random Variable Axioms The standard requirements for random variables (in the probability-theoretic sense).

PM (Positive Measure) for any formula, $\varphi$, and any subject, $S$, $Pr_S(\varphi) \geq 0$ (The probability of any event is greater than or equal to zero.)

NM (Normalized Measure) for any channel, $c$, and any subject, $S$,

$\sum_{i \in I} Pr_S(c'_{in} = i) = 1$ (The probability of all possibilities sums to one.)

$\sum_{o \in O} Pr_S(c'_{out} = o) = 1$

Input/Output Axioms for powerful-subject-knowledge and permitted-knowledge of inputs and outputs. Let $S$ be a subject, let $c \in S$ be a channel that is visible to $S$, and let $i \in I$ be an input, $o \in O$ be an output, and $r \in \mathbb{R}$ be a real number.

KO  $Pr_S(c'_{out} = o) = r \to K_S(Pr_S(c'_{out} = o) = r)$

RI  $Pr_S(c'_{in} = i) = r \to R_S(Pr_S(c'_{in} = i) = r)$

Intuitively, KO says that powerful subjects know the distribution on their own outputs conditioned on the previous history of inputs and outputs they have seen. RI says that all subjects are permitted to know the conditional distribution on their own inputs.

Note that a powerful subject knows the distribution on its own inputs conditioned on the previous history of inputs and outputs it has seen; this follows trivially from RI and RK, thus we have a theorem KI, which is analogous to RI. From theorem KI and axiom KO we can inductively show that powerful subjects know the probability of all events they can see in finite time.

On the other hand, a subject is permitted to know the conditional distribution on its own outputs only if the system is secure — e.g., for a low subject, only if knowing that distribution does not reveal any information about the distribution on high inputs. The absence of an axiom RO, corresponding to KO, is what syntactically captures this.

The  above  are  all  of  our  axioms.  We  now  give  the  rules 
of  our  logic,  which  are  all  standard. 

MP (Modus Ponens) From $\varphi$ and $\varphi \to \psi$ infer $\psi$.

Nec (Necessitation) This rule applies to all of the modal operators we have introduced: $\Box$, $K_S$, $K_S$, and $R_S$. (It is called ‘necessitation’ because it was originally applied to a necessity operator.) We set it out for $\Box$ only. From $\vdash \varphi$ infer $\vdash \Box\varphi$.


Note that in the above, ‘$\vdash \varphi$’ indicates a derivation of $\varphi$ from the axioms alone, rather than from a set of premises. (Derivations will be formally defined below.) Thus, in the case of knowledge (strong or weak) for example, Nec says that if $\varphi$ is a theorem (derivable without any premises) then all subjects know $\varphi$.

We  now  have  sufficient  machinery  to  give  a  characteri¬ 
zation  of  a  formal  derivation. 


Definition 3.3 Let , be a finite set of formulae of our language. A finite sequence of formulae $\varphi_1, \varphi_2, \varphi_3, \ldots, \varphi_n$ is called a derivation (of $\varphi_n$ from , ) iff each $\varphi_k$ ($k = 1, \ldots, n$) satisfies one of the following:


4  Semantics 

In  the  last  section  we  presented  a  syntactic  system.  So 
far  we  have  only  intuitive  meanings  to  attach  to  this 
formalism.  In  this  section  we  provide  semantics  for  our 
system  in  terms  of  the  Halpern-Tuttle  framework  and 
our  application-specific  model  set  out  in  §2. 

4.1  Semantic  Model 


A  model  M  is  a  tuple  of  the  form: 


weak  weak 

*T  ’  •  •  •  ’  K\V(C)\ 


powerful 
■'K\V(C)\  ’ 

b,  •  •  •  ,  S\T(C)\  ) 


Here, $\mathbb{R}$ and its operations and ordering relation give us the real numbers; $W$ is the set of worlds (i.e., global states); $T$ is the set of labeled computation trees (with nodes from $W$); $C$, $I$, and $O$ are the sets of channels, possible inputs, and possible outputs, respectively; $v$ is the assignment function, which assigns semantic values to syntactic expressions at each world (values of $v$ at a particular world $P$ will be indicated by the projection ‘$v_P$’); the $K^{powerful}_i$ and $K^{weak}_i$ are knowledge accessibility relations, one each for each subject $S$; and the $\delta_i$s are permitted-knowledge accessibility relations, also one for each subject. In the remainder of this paper we will generally denote the accessibility relations corresponding to subject $S$ by ‘$K^{powerful}_S$’, ‘$K^{weak}_S$’, and ‘$\delta_S$’. These will each be further explained when we come to the assignment function.


In assigning meaning to our language, it is of fundamental importance to associate a probability space with each labeled computation tree. In particular, for each labeled computation tree $T_A$ we will construct a sample space of runs, $\mathcal{R}_A$, an event space, $\mathcal{X}_A$ (i.e., those subsets of $\mathcal{R}_A$ to which a probability can be assigned) and a probability measure $\mu_A$ that assigns probabilities to members of $\mathcal{X}_A$.


Our construction of this probability space is quite natural and standard (see, e.g., [Sei92] as well as [HT93] for two instances). We will not go into detail explaining the basic concepts of probability and measure theory here (cf. [Hal50] or [Shi84]).


• $\varphi_k \in$ ,

• $\varphi_k$ is an axiom.

• $\varphi_k$ follows from some theorem by Nec.

• For some $i, j < k$, $\varphi_k$ results from $\varphi_i$ and $\varphi_j$ by MP.

We write ‘, $\vdash \varphi$’ to indicate a derivation of $\varphi$ from , , and we write ‘$\vdash \varphi$’ to indicate a derivation of $\varphi$ from the axioms alone. □

This  completes  our  statement  of  the  formal  system. 


Definition 4.1 For a labeled computation tree $T_A$, the associated sample space $\mathcal{R}_A$ is the set of all infinite paths starting from the root of $T_A$.

The set $e \subseteq \mathcal{R}_A$ is called a generator iff it consists of the set of all traces with some common finite prefix. The generators are the probability-theoretic events corresponding to finite traces. We can now define the event space, $\mathcal{X}_A$, to be the (unique) field of sets generated by the set of all generators (i.e., $\mathcal{X}_A$ is the smallest subset of $\mathcal{P}(\mathcal{R}_A)$³ that contains all of the generators and is closed under countable union and complementation).

³ $\mathcal{P}$ denotes “powerset”.

Suppose $e$ is a generator corresponding to the finite prefix given by $(\rho, k)$. Then, the probability measure, $\mu_A$, is defined for $e$ as the product of the transition probabilities from the root of the tree, along the path $\rho$, up to time $k$. Further, there is a unique extension of $\mu_A$ to the entire event space [Hal50]. □

4.2  Assignment  Function 

For a given point, $P$, we will assign truth values to temporal formulae $\varphi$ at this point. In addition, we assign values to variables, for example the input on a channel, at this point. The assignment function that does both of these is denoted by $v_P$.

To define $v_P$, we will need to assign truth values to action and temporal formulae. Therefore we will also define functions $v_{(P_1,P_2)}$ (where $P_1$ and $P_2$ are points) and $v_\rho$ (where $\rho$ is a run) to assign truth values to action formulae over a pair of points and temporal formulae on a run, respectively.

We define $v_P$, $v_{(P_1,P_2)}$, and $v_\rho$ mutually recursively below. First we present some additional notation.

Notation  Since  nodes  are  unique  even  across  trees,  for 
a  given  node  P,  there  is  no  ambiguity  in  referring  to 
“the  tree  that  contains  P” .  In  the  following,  we  will  use 
tree(P)  to  denote  that  tree. 

Further, since there is a one-to-one correspondence from trees to adversaries, we can refer to “the adversary corresponding to tree(P)”. We denote that adversary by $A(P)$.

We  use  the  notation  succ(P)  to  denote  the  set  of  nodes 
that  succeed  P  in  tree(P). 

We  use  the  notation  extensions(P)  to  denote  the  set  of 
infinite  sequences  of  states  starting  at  P  in  tree(P). 

As discussed in [HT93], to each subject, $S$, and point, $P$, we need to associate a sample space, $\mathcal{S}_{S,P}$. Each such sample space will be a set of points from tree(P). Intuitively, these are the points (within the tree that contains the current execution) that the subject $S$ considers possible. We will set out these sample spaces below. For the time being, we simply make use of the notation $\mathcal{S}_{S,P}$ to refer to them.

We will be rather abusive in the use of our probability measures $\mu_A$. In particular, when we have a finite set of points, $x$, we will write $\mu_A(x)$ to denote the probability (as assigned by $\mu_A$) of passing through one of the points in $x$. Technically, this is wrong, since $\mu_A$ is defined for (certain) sets of runs; not for sets of points. However, the mapping between the two is extremely natural; the set of runs corresponding to a point is the set of runs that pass through that point. Further, by the construction of our probability spaces, all sets of runs corresponding to finite sets of points are measurable. Therefore, there is no danger in this abuse of notation and it greatly simplifies our presentation.


As is standard (see, e.g., [HT93]), we will be using accessibility relations — one for each subject — on points to give semantics to our three knowledge operators. We define these relations below. For the time being, we simply make use of the notation $K^{powerful}_S$ to refer to the powerful-subject knowledge accessibility relation, $K^{weak}_S$ to refer to the weak-subject knowledge accessibility relation, and $\delta_S$ to refer to the permitted-knowledge accessibility relation. □

We now define $v_P$, $v_{(P_1,P_2)}$, and $v_\rho$. Let $P$ be a point at time $k$ in the execution $\rho = (\alpha, \beta, \gamma)$ in computation tree $T_A$.

•  Numbers  are  assigned  to  number  names. 

•  Members  of  I  and  O  are  assigned  to  their  syntactic 
identifiers. 

• For any channel $c \in C$,

$v_P(c_{in}) = \alpha(c, k)$

• For any channel $c \in C$,

$v_P(c_{out}) = \beta(c, k)$

• For any variable name, $X$, excluding channel variables (such as $c_{in}$ or $c_{out}$)

$v_P(X) = \gamma(X, k)$

• To assign truth values to actions, we need to assign values to terms at pairs of points. Constants do not change their values when we move to pairs of points. However, primed and unprimed variables are evaluated differently. For any state variable, $X$, and any pair of points $(P_1, P_2)$,

$v_{(P_1,P_2)}(X) = v_{P_1}(X)$

In contrast,

$v_{(P_1,P_2)}(X') = v_{P_2}(X)$

$v_{(P_1,P_2)}(\varphi) = v_{P_1 \backslash P_2}(\varphi)$

where $v_{P_1 \backslash P_2}(\varphi)$ follows $v_{P_1}$ except that all primed terms are assigned according to $v_{P_2}$.

• Composite terms are assigned values at a point and at a pair of points in the natural way. For example,

$v_P(X + Y) = v_P(X) + v_P(Y)$

and

$v_{(P_1,P_2)}(X + Y) = v_{(P_1,P_2)}(X) + v_{(P_1,P_2)}(Y)$

• Similarly, predicates and action formulae are assigned truth values at a point and at a pair of points, respectively, in the natural way. For example,

$v_P(X < Y) = true$ iff $v_P(X) < v_P(Y)$

and

$v_{(P_1,P_2)}(\varphi \wedge \psi) = true$ iff $v_{(P_1,P_2)}(\varphi) = true$ and $v_{(P_1,P_2)}(\psi) = true$

• An action formula, $\varphi$, is true at a point, $P$, iff it is true for all pairs of points emanating from $P$. More precisely,

$v_P(\varphi) = true$ iff $\forall P' \in succ(P),\ v_{(P,P')}(\varphi) = true$

(Since we have not needed to include quantification in our language we are free to use ‘$\forall$’ and ‘$\exists$’ as metalinguistic shorthand.)

• To interpret the probability of an action $\varphi$ at a point $P$, we will take the set of all pairs of points, $(P_1, P_2)$, emanating from points in $\mathcal{S}_{S,P}$. Restricting to this set, we compute the probability of those pairs such that $v_{(P_1,P_2)}(\varphi)$ evaluates to true. More precisely, for any action formula, $\varphi$, and for any subject $S \subseteq C$,

$v_P(Pr_S(\varphi)) = \mu_{A(P)}(\mathcal{S}_{S,P}(\varphi) \mid \mathcal{S}_{S,P})$

where

$\mathcal{S}_{S,P}(\varphi) = \{ P_2 \mid \exists P_1 \in \mathcal{S}_{S,P}$ such that $P_2 \in succ(P_1)$ and $v_{(P_1,P_2)}(\varphi) = true \}$.

• For any predicate, $\varphi$, and run, $\rho$,

$v_\rho(\varphi) = v_{(\rho,1)}(\varphi)$

• For any (action or temporal) formula, $\varphi$, and run, $\rho$,

$v_\rho(\Box\varphi) = true$ iff $\forall i,\ v_{(\rho,i)}(\varphi) = true$

• A temporal formula is true at a point iff it is true in all runs extending from that point. More precisely, for any temporal formula, $\varphi$,

$v_P(\varphi) = \forall \rho \in extensions(P),\ v_\rho(\varphi)$

• Composite action formulae and temporal formulae are assigned truth values at points in the natural way. For example,

$v_P(\varphi \wedge \psi) = true$ iff $v_P(\varphi) = true$ and $v_P(\psi) = true$


• Our three knowledge operators are all S5 modal operators and are given semantics in terms of the accessibility relations (on points) in the standard way; viz, for powerful-subject knowledge,

$v_P(K_S(\varphi)) = true$ iff $\forall P',\ K^{powerful}_S(P, P') \Rightarrow v_{P'}(\varphi) = true$

for weak-subject knowledge,

$v_P(K_S(\varphi)) = true$ iff $\forall P',\ K^{weak}_S(P, P') \Rightarrow v_{P'}(\varphi) = true$

and for permitted knowledge,

$v_P(R_S(\varphi)) = true$ iff $\forall P',\ \delta_S(P, P') \Rightarrow v_{P'}(\varphi) = true$

To complete our semantics for probability formulae, we need to choose the sample spaces $\mathcal{S}_{S,P}$ for each subject at each point. Our approach is quite straightforward. We will choose $\mathcal{S}_{S,P}$ to be the set of points within tree(P) that have the same history of inputs and outputs on channels $S$ as occur on the path to point $P$. More precisely, we have the following definitions.

Definition 4.2 Let $S \subseteq C$ be a subject and let $\rho_1 = (\alpha_1, \beta_1, \gamma_1)$ and $\rho_2 = (\alpha_2, \beta_2, \gamma_2)$ be two runs (not necessarily in the same tree). We say that $\rho_1$ and $\rho_2$ have the same S-history up to time $k$ if and only if $\forall i,\ 1 \leq i \leq k,\ \forall c \in S$,

$\alpha_1(c, i) = \alpha_2(c, i)$ and $\beta_1(c, i) = \beta_2(c, i)$

□

Definition 4.3 Let $S \subseteq C$ be a subject and let $P_1 = (\rho_1, k_1)$ and $P_2 = (\rho_2, k_2)$ be two points (not necessarily in the same tree). We say that $P_1$ and $P_2$ have the same S-history if and only if the following two conditions hold.

1. $k_1 = k_2$.

2. $\rho_1$ and $\rho_2$ have the same S-history up to time $k_1$.

□

Definition 4.4 Let $S \subseteq C$ be a subject and $P$ be a point; the sample space for $S$ at point $P$ is given by

$\mathcal{S}_{S,P} = \{ P' \mid tree(P') = tree(P)$ and $P'$ and $P$ have the same S-history $\}$ □

In a more general setting, we would also want to consider the possibility that a subject $S$ has internal state variables and could use these to make finer distinctions between points. However, in our application, all of the internal processing of the relevant subjects (viz, $\mathcal{H}$ and $\mathcal{L}$) is encoded in the adversary and is thus factored out of the computation tree. We therefore do not lose any needed generality in making the above definition.

Now, to complete our description of the assignment function we need only describe the relations $K^{powerful}_S$, $K^{weak}_S$, and $\delta_S$ for all $S \subseteq C$.

Definition 4.5 Our definition of $K^{weak}_S$ (and hence our definition of weak-subject knowledge) is the standard definition of knowledge in a distributed system. In particular, for any two points, $P_1$ and $P_2$ (not necessarily in distinct trees) and any subject, $S \subseteq C$, we say that $P_2$ is weak-subject-accessible from $P_1$, denoted ‘$K^{weak}_S(P_1, P_2)$’, if and only if $P_1$ and $P_2$ have the same S-history. □


When it is clear from context what is meant, we may occasionally confuse the meta-event with its projection, e.g., we might write $\mu_A(e)$ for $\mu_A(e_A)$.

Observation 4.8 Every projection of every S-event is measurable. That is, for any S-event, $e$, and any computation tree, $T_A$,

$e_A \in \mathcal{X}_A$

This is due to the restriction on S-events that they be observable within some finite time. In particular, the projection of an S-event onto a tree, $T$, must also be observable within a finite time, and so it must be formable from a finite number of unions and complementations of the generators of $T$. □


Our definition of $K^{powerful}_S$ (and hence, our definition of powerful-subject knowledge) is novel. In the analysis of distributed protocols and in other areas of computer science, it is typical to use the above weak-subject knowledge accessibility relation (or something roughly equivalent). Our definition of accessibility for powerful-subject knowledge will require more — in other words, using this definition subjects know more. In particular, subjects “know” the probability distribution over the future inputs and outputs on the channels that they can see. That is, if the probability of a given future output on a low channel is $x$, then (assuming a powerful subject) the low environment knows that. To make this notion precise, we need some definitions.

Definition 4.6 Let $S \subseteq C$ be a subject and let $e$ be a set of runs, $\{\rho_i\}$, (not necessarily taken from any one computation tree). We say that $e$ is an S-event if and only if there exists a time $k \in \mathbb{N}^+$ such that for any two runs, $\rho_1$ and $\rho_2$, having the same S-history up to time $k$, $\rho_1 \in e$ iff $\rho_2 \in e$.

For an S-event, $e$, we will refer to the least $k$ such that the above condition holds as the length of $e$. □

Intuitively, an event $e$ is an S-event if and only if there is some finite time $k$ (i.e., its length) after which $S$ can always determine whether or not $e$ has occurred.

Note that in general, an S-event contains runs from more than one computation tree. Therefore, such “events” will not be measurable in any of our probability spaces. Rather, we think of them as meta events and we will be interested in the measure of the subset of the runs that are contained in a given computation tree. To make this precise, we introduce the following definition.


Definition 4.7 Given a computation tree, $T_A$, and an S-event, $e$, the projection of $e$ onto $T_A$, denoted $e_A$, is given by:

$e_A = runs(T_A) \cap e$


□ 


Now  we  are  ready  to  give  the  definition  of  the  knowledge 
accessibility  relation. 

Definition 4.9 Let $P_1$ and $P_2$ be two points in (not necessarily distinct) trees $T_{A_1}$ and $T_{A_2}$, respectively, and let $S \subseteq C$ be a subject. We say that $P_2$ is powerful-subject-accessible from $P_1$, denoted ‘$K^{powerful}_S(P_1, P_2)$’, iff

1. $P_1$ and $P_2$ have the same S-history; and

2. for any S-event $e$, $\mu_{A_1}(e \mid \mathcal{S}_{S,P_1}) = \mu_{A_2}(e \mid \mathcal{S}_{S,P_2})$


□ 

Thus, when two points are $K^{powerful}_S$-accessible, this implies not only that the two points have the same S-history, but also, conditioned on the current S-history, the probability distribution on all S-events, including future events, is the same. As mentioned previously, using this definition, subjects “know more” than when using the standard definition. However, we view this as another case where we’ve adopted the worst-case scenario; that is, we’ve given the penetrators, $\mathcal{H}$ and $\mathcal{L}$, the greatest conceivable knowledge at any given point in the execution of the system. We will see later in the paper that this choice corresponds to some existing information-theoretic definitions of perfect multilevel security.

Our definition of permitted knowledge is also novel. From our viewpoint, a subject’s permitted knowledge does not change over the course of the system’s execution. That is, a given subject’s permitted knowledge is set prior to the start of execution. (It is only a subject’s knowledge that changes during the system’s execution.) Thus, we can capture a subject’s permitted knowledge by defining an accessibility relation on computation trees. We will say that two points are accessible if and only if they have the same S-history and their two containing trees are accessible; roughly speaking, two computation trees, $T_{A_1}$ and $T_{A_2}$, will be accessible if and only if the parts of the adversaries, $A_1$ and $A_2$, that correspond to $S$ “act the same” in both trees. We make this precise as follows.

Definition 4.10 Let $S$ be a subject and $T_{A_1}$ and $T_{A_2}$ be two computation trees. We say that $T_{A_2}$ is $A_S$-accessible from $T_{A_1}$, denoted ‘$A_S(T_{A_1}, T_{A_2})$’, iff for any point $P_1$ in $T_{A_1}$ there is a point $P_2$ in $T_{A_2}$ such that

1. $P_1$ and $P_2$ have the same S-history; and

2. for any channel $c \in S$ and any input $i \in I$, $v_{P_1}(Pr_S(c'_{in} = i)) = v_{P_2}(Pr_S(c'_{in} = i))$.

□

Definition 4.11 Let $S$ be a subject and $P_1$ and $P_2$ be two points. We say that $P_2$ is $\delta_S$-accessible from $P_1$, denoted ‘$\delta_S(P_1, P_2)$’, if and only if

1. $P_1$ and $P_2$ have the same S-history; and

2. $A_S(tree(P_1), tree(P_2))$.

□

Thus, the $\delta_S$ relation reflects the fact that subjects are permitted to know the conditional probability distribution on their inputs: two points are $\delta_S$-accessible (i.e., as far as $S$ is permitted to know they are the same point) if and only if the conditional distribution on inputs visible to $S$ is the same at both points.

The definition of permitted knowledge and the Secure Environment Assumption combine to isolate the question that interests us: “Can the low environment ($\mathcal{L}$) come to know, via the system of interest ($\Sigma$), something about the activity of the high environment ($\mathcal{H}$)?” To see how this question is captured, consider a subset $L$ of the interface of $\Sigma$. By our definition of permitted knowledge, the low environment, $\mathcal{L}$, is permitted to know how the inputs on $L$ are chosen, but not how other (high) inputs are chosen. Further, by the Secure Environment Assumption, $\mathcal{L}$ cannot get any information about how high inputs are chosen via any means outside of $\Sigma$. Thus, if the low environment is able to gain some information that it is not permitted to know, it must have been information about the high environment and it must have been gained via $\Sigma$.

In the remainder of the paper, for a point $P$, formula $\varphi$, and set of formulae , , we will use ‘$P \models \varphi$’ to indicate that $\varphi$ is true at $P$, and ‘$P \models$ ,’ to indicate that all members of , are true at $P$. Finally, we will use ‘, $\models \varphi$’ to indicate that $\varphi$ is true at all worlds at which all members of , are true.

4.3  Soundness 

In §5 below we give a syntactic characterization of security and show that the semantic interpretation of our syntactic characterization of security is equivalent to certain previously developed information-theoretic characterizations. However, the significance of these results is reduced unless the logic is sound. For, without soundness there is no guarantee that any formal proof of security we might give for a system implies any independently motivated notion of security. A soundness theorem gives us just such a correspondence. The above given logic is sound with respect to the above given semantics. A proof is set out in [GS95].

This completes our discussion of the logic itself. In the remainder of the paper we focus on security and applications of the logic thereto.

5  Formal  Definition  of  Security 

In  this  section,  we  give  a  definition  of  security — which 
we  call  the  Formal  Security  Condition  (FSC) — using  the 
time  and  knowledge  operators  of  our  logic. 

Definition 5.1 Let $L \subset C$ be a subject. Suppose $\Gamma$
is a set of premises that describe a system $\Sigma$. We say
that $\Gamma$ satisfies the Formal Security Condition (FSC)
with respect to $L$ if and only if, for every $b \in O[L]$, the
formula

$$\Box(Pr_L(L' = b) = r \rightarrow K_L(Pr_L(L' = b) = r))$$

is derivable from $\Gamma$.

We say that $\Gamma$ satisfies the Semantic Interpretation of
the FSC with respect to $L$ if and only if, for every $b \in O[L]$,

$$\Gamma \models \Box(Pr_L(L' = b) = r \rightarrow K_L(Pr_L(L' = b) = r))$$

□

Intuitively, FSC says that at all times the low environment
knows the probability distribution on its next output.

5.1 Relationship to Probabilistic Noninterference

In this subsection we recall the definition of Probabilistic
Noninterference (PNI), as given in [Gra92], and
prove that the semantic interpretation of FSC is equivalent
to PNI.

Definition 5.2 Let $A_1$ and $A_2$ be two adversaries that
satisfy the Secure Environment Assumption. We will
say that $A_1$ and $A_2$ agree on $L$ behavior iff there exist
$P_1$, $P_2$, and $C$ such that $P_1$ and $C$ are the unique
probability functions that describe $A_1$ (as in Definition 2.2)
and $P_2$ and $C$ are the unique probability functions that
describe $A_2$. □

Now,  we  state  the  definition  of  PNI  in  terms  of  our 
model. 
Definition 5.3 Let $\Sigma$ be a system with computation
trees $T(\Sigma)$. We say that $\Sigma$ satisfies Probabilistic
Noninterference (PNI) with respect to a subject $L \subset C$ iff
for any two trees satisfying the Secure Environment
Assumption, $T_A, T_{A'} \in T(\Sigma)$ and any $L$-event, $e$, if $A$ and
$A'$ agree on $L$ behavior, then

$$\mu_A(e) = \mu_{A'}(e)$$

□

PNI is equivalent to Browne’s (independently developed)
Stochastic Non-Interference [Bro89]. The significance
of PNI is that it is arguably a necessary and sufficient
condition for a system to be free of covert channels
(cf. [Bro91]).

Before  we  state  the  main  result  of  this  section,  we  state 
a  lemma  that  is  also  interesting  in  its  own  right.  Space 
limitations  prevent  the  inclusion  of  proofs  of  our  results 
here. 

Lemma 5.4 Suppose that $T_A$ and $T_{A'}$ are two trees
that agree on $L$ behavior (and satisfy the Secure
Environment Assumption). Further suppose that for any
two points, $P_1 \in T_A$, $P_2 \in T_{A'}$, and any low output
vector, $b \in O[L]$, if $P_1$ and $P_2$ have the same $L$-history,
then

$$v_{P_1}(Pr_L(L'_{out} = b)) = v_{P_2}(Pr_L(L'_{out} = b))$$

Then, for any $L$-event, $e$,

$$\mu_A(e_A) = \mu_{A'}(e_{A'})$$

□

We  can  now  state  the  following  theorem  relating  PNI 
and  FSC. 

Theorem 5.5 Let $\Gamma$ be a set of formulae describing $\Sigma$
and let $L \subset C$ be a subject. Then, $\Sigma$ satisfies PNI with
respect to $L$ iff $\Gamma$ satisfies the semantic interpretation of
FSC with respect to $L$. □

A significance of this theorem is that (given soundness
as proven in [GS95]) verifying that a system satisfies
FSC is equivalent to showing that it satisfies PNI, which
(as was previously mentioned) is a necessary and sufficient
condition for a system to be free of covert channels.

5.2  Examples,  continued 

We note here that the security of the encryption box of
Example 3.1 with respect to a subject $L \subset C$ is formally
derivable. In fact, once the assumptions are written
down, there is virtually nothing to prove. Recall the
system specification: If $C = \{h, l\}$, $I = \{0, 1\}$, and
$O = \{0, 1\}$, then the system is specified by the following
formula.

$$\Box(Pr_C(l'_{out} = 0) = Pr_C(l'_{out} = 1) = 0.5)$$

Recall also that subjects are assumed to always know
that the system description holds at all times. Thus,

$$\Gamma = \{\Box K_L \Box(Pr_L(L'_{out} = 0) = Pr_L(L'_{out} = 1) = 0.5)\}$$

The only $b \in O[L]$ are 0 and 1; hence, FSC with respect
to $L$ for this system is:

$$\Box(Pr_C(L'_{out} = 0) = 0.5 \wedge Pr_C(L'_{out} = 1) = 0.5) \rightarrow K_L(Pr_L(L'_{out} = 0) = 0.5 \wedge Pr_L(L'_{out} = 1) = 0.5)$$

But, this is trivially derivable from $\Gamma$.

We also observe that for the insecure encryption box
of Example 3.2, $\Gamma \nvdash$ FSC (where $\Gamma$ encompasses those
formulae that embody the system description and our
assumptions about knowledge thereof). It is obvious
that the insecure encryption box fails to satisfy PNI.
By the attack described in the original example, we can
easily find two adversaries that satisfy the Secure
Environment Assumption and agree on low behavior and
yet disagree on the probability of certain low events.
Indeed, the low environment can assign 0/1 probabilities
to any output sent by the high part of the adversary.
By Theorem 5.5, we thus have that $\Gamma \not\models$ SSC. And, by
soundness, it follows that $\Gamma \nvdash$ FSC.
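
The following added example (not code from the paper) checks the two conditions of this section by exact enumeration on the encryption box of Example 3.1, taken here as: each high input bit is XORed with a key-stream bit and the result is output to low. It assumes low has no inputs and high behaviours are fixed bit strings; the biased key stream (p_one = 3/4) is a constructed insecure variant, not Example 3.2, and all function names are hypothetical.

```python
from fractions import Fraction
from itertools import product

def low_trace_dist(high_bits, p_one):
    """Exact distribution over low output traces of the XOR box.

    high_bits: bits the high environment inputs, one per tick.
    p_one: probability that a key-stream bit is 1 (1/2 in Example 3.1).
    """
    dist = {}
    for key in product((0, 1), repeat=len(high_bits)):
        prob = Fraction(1)
        for k in key:
            prob *= p_one if k else 1 - p_one
        trace = tuple(h ^ k for h, k in zip(high_bits, key))
        dist[trace] = dist.get(trace, Fraction(0)) + prob
    return dist

def next_output_prob(dist, history, b):
    """Pr(next low output = b | L-history); None if the history has probability 0."""
    n = len(history)
    seen = sum(p for t, p in dist.items() if t[:n] == history)
    hit = sum(p for t, p in dist.items() if t[:n] == history and t[n] == b)
    return hit / seen if seen else None

def all_dists(p_one, ticks):
    """One low-trace distribution per high behaviour (assumed: fixed bit strings)."""
    return [low_trace_dist(h, p_one) for h in product((0, 1), repeat=ticks)]

def satisfies_pni(p_one, ticks=3):
    """PNI on this model: every low event has the same probability for all high behaviours."""
    dists = all_dists(p_one, ticks)
    return all(d == dists[0] for d in dists)

def satisfies_fsc(p_one, ticks=3):
    """Per-point condition of Lemma 5.4: after any L-history, the probability
    of the next low output is the same whatever the high behaviour."""
    dists = all_dists(p_one, ticks)
    for n in range(ticks):
        for hist in product((0, 1), repeat=n):
            for b in (0, 1):
                vals = {next_output_prob(d, hist, b) for d in dists} - {None}
                if len(vals) > 1:
                    return False
    return True
```

With a uniform key stream both checks succeed; with the biased key stream both fail together, as Theorem 5.5 leads one to expect.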

6  Conclusions  and  Relation  to  Previous 
Results 

In [GS92] a definition of security was presented that
we called the Syntactic Security Condition (SSC).
In [GS95] this was rendered into the framework of
this paper using the powerful-subject-knowledge and
permitted-knowledge operators of our logic. This definition
is based on the definition of “Causality” given
by Bieber and Cuppens [BC92], which was based on the
work of Glasgow, MacEwen, and Panangaden [GMP90].
SSC says that a system is secure with respect to the set
of low processes, $L$, if and only if, for any logical formula
$\varphi$, the following formula is derivable from the given
premises describing the behavior of the system $\Sigma$.

$$\Box(K_L(\varphi) \rightarrow R_L(\varphi)) \qquad (1)$$

Although the statement of SSC is almost syntactically
identical to Bieber and Cuppens’ definition of Causality,
due to the differences in the semantics of the respective
logics, the meanings of SSC and Causality are
different.⁴ In fact, it is straightforward to show that for
deterministic systems, the meaning of SSC is equivalent
to the meaning of Causality. Thus, since SSC additionally
applies to probabilistic systems, SSC can be viewed
as a generalization of Causality. However, since SSC
requires that we have a derivation for all formulae of
the language, even those having nothing to do with the
system, it is of limited value for verification.

⁴ For technical reasons, Bieber and Cuppens’ definition omitted
the □ operator.

This led us to develop a syntactic verification condition.
Though the syntactic verification condition we originally
gave in [GS92] appears somewhat complex, the formula
given in [GS95], hereafter called ‘SVC’, is almost
the same as FSC. The only difference is that SVC has a
subscript C in the antecedent where FSC has a subscript
L, i.e., $\Box(Pr_C(L' = b) = r \rightarrow K_L(Pr_L(L' = b) = r))$
instead of $\Box(Pr_L(L' = b) = r \rightarrow K_L(Pr_L(L' = b) = r))$.

Though subtle, the difference is important, primarily because
SVC is too strong. Recall Example 3.1, the secure
encryption box. In that example the exclusive-or of each
high input bit was taken with a bit of key stream that
was equally likely to be a 0 or a 1. The result was then
output to low at the next clock tick. Consider the following
variation on this. The result of the XOR is output
to high rather than to low one tick after each high
bit is input. The same value is then output to low on the
next tick. (This might be done for auditing purposes.
In this sense the example is reminiscent of one given in
[McL90].) It should be readily apparent that the encryption
box in this example is still secure. It should
also be readily apparent that this example violates SVC
but not FSC. Thus SVC is too strong a criterion for multilevel
security. Whether FSC or SVC is easier to verify
is impossible to say without further practical examination.
Our examples above are too trivial to be taken as
representative. As of this writing we are still examining
these and other verification conditions for their practical
significance. Regardless of which condition, if any,
ultimately proves to be practically useful, FSC remains
of theoretical importance: its meaning is equivalent to
PNI, and, unlike SSC, it is in principle syntactically
verifiable.

SVC also remains important, for tying logical characterizations
of security to information-theoretic characterizations.
The same is true for SSC, perhaps all
the more so because it is itself a version of a previous
characterization of security [GMP90, BC92]. However,
in order to provide that connection in the case
of SSC we were forced to represent the somewhat unusual
modalities of strong-subject knowledge and permitted
knowledge.⁵ And, this required the development
of rather complex accessibility relations to capture them
semantically. While these are revealing and interesting
in their own right, FSC requires only a standard knowledge
operator with a standard semantics. That is one
more advantage to this characterization.

⁵ That the meaning of SSC is equivalent to PNI was first presented
in [GS92]. Proof of this result with respect to the logical
framework of this paper is given in [GS95]. Similarly, the connection
between SVC and an information-theoretic condition (AFM)
was first presented in [GS92] and proven in the current framework
in [GS95].

Finally, we note that it only became apparent to us that
we could effectively capture PNI using FSC after reformulating
the earlier work of [GS92] in the framework
presented here. This provides further evidence that the
framework introduced herein is a useful one.